Facebook's Ongoing Legal Saga with Power Ventures Is Dangerous To Innovators and Consumers

As Facebook turned ten years old last month, a legal case it brought against Power Ventures almost six years ago demonstrates the continued hurdles facing developers who seek to empower users to interact with closed services like Facebook in new and creative ways. In a new amicus brief, we caution the Ninth Circuit Court of Appeals not to extend crippling civil and criminal liability to services that provide competing or follow-on innovation.

Power Ventures made a web-based tool that allowed users to log into all of their social networking accounts in one place and aggregate messages, friend lists, and other data so they could see all their information together. To promote its service, it offered a $100 reward to users who could invite, through the Facebook Events system, a certain number of friends to sign up for Power's service. Because of the way Facebook designed its Events system, the messages appeared to come from Facebook directly, although the messages clearly identified the individual user who sent the invitation, as well as Power's service. Facebook eventually blocked one of several IP addresses Power used to connect to Facebook, and Power eventually stopped allowing Facebook users to use Power's service.

In 2008, Facebook sued Power, claiming it had violated the Computer Fraud and Abuse Act (CFAA) and California Penal Code § 502 when it allowed users to access Facebook data after Facebook blocked a specific IP address Power was using to connect to Facebook data. Facebook also claimed that Power violated the CAN-SPAM Act, the federal law that prohibits sending commercial emails with materially misleading information, when Power encouraged users to invite their friends to try Power. We've filed a number of amicus briefs in this case, arguing that Facebook's theories of liability were wrong and dangerous, and that users have the right to choose how they access their data.

While the district court initially agreed with us that Facebook could not prove a CFAA violation by merely showing that Power violated Facebook's terms of service, it nonetheless ruled in 2012 that Power was liable to Facebook under the CFAA and CAN-SPAM and, in 2013, ordered Power to pay more than $3 million in damages to Facebook, a significant amount that was remarkably less than the staggering $18 million Facebook initially sought. Power is now bankrupt and the case is before the Ninth Circuit, where we again filed an amicus brief in support of Power.

On the CFAA claims, our brief explains that working around an IP address block is a common, non-criminal act in most instances. The CFAA is intended to go after hackers who circumvent technical restrictions in order to access data they are not otherwise entitled to, not users who utilize a third-party service to access their own data. Plus, circumventing a technical block that merely enforces Facebook's terms of service is not a violation of the CFAA. The only way to determine whether Power was violating the CFAA was to look at Power's motivation for working around Facebook's IP block. Here, the facts were in dispute: Facebook claimed Power was trying to circumvent the IP block, but Power claimed its business practice was to use multiple IP addresses and when one was blocked, it stopped trying to access Facebook. But the court never resolved this factual dispute, instead finding that using technology that merely has the capability to circumvent a technical restriction—regardless of what the technology actually did circumvent or regardless of the user's motivation for trying to circumvent—is enough to violate the CFAA. This is a dangerous idea, criminalizing innovations like Power's service, and turning Facebook users that used Power to access their own data into criminals.

Facebook's CAN-SPAM claims are just as dangerous. Congress passed CAN-SPAM to go after big-time spammers who hide their identities in order to bombard users with malware and phishing schemes. Captive email systems like Facebook's, where a user has no control over the header information of the message, were not contemplated in CAN-SPAM, which was signed into law on December 16, 2003—two months before Facebook was even launched. Plus, the messages weren't misleading, since a Facebook user who got an invitation knew all three parties to the communication: the friend who sent the invite, Facebook, which facilitated the message, and Power, whose service was being promoted. But by finding Power liable, the lower court puts all Facebook users who use Events at unreasonable legal risk. For example, if a Facebook user is in a band and, using Facebook Events, invites friends to a local show with a small cover charge, that user has arguably sent a "misleading" commercial message under CAN-SPAM because, even though the friend sent the message, the header information will show the message came from Facebook. That user could be guilty of a crime and liable for a significant financial penalty for every message sent. This is an absurd interpretation of the law that criminalizes routine Internet behavior.

Facebook's claims here are dangerous, threatening to put the power of law—including serious criminal penalties—behind Facebook and other companies' anti-competitive decisions to thwart consumer choice and innovation that doesn't meet their approval. The information put into a social networking site belongs to the user, who should be able to access, export, and aggregate the data as they please. Hopefully the Ninth Circuit will understand and appreciate this, reversing a lower court decision that equates consumer choice with legal risk.
